LDAP EN: differences between revisions
Current revision as of 14:31, 16 June 2023
ATTENTION: This section applies to ERP "UserSide" versions 3.13.21 and above.
ERP UserSide supports a limited set of LDAP integration features.
Because UserSide has its own flexible access-rights system (profiles, access by IP address, etc.), a staff/operator user must be created in UserSide in advance, even when LDAP is used.
Requirements
To interact with servers using the LDAP protocol, the PHP LDAP extension (php-ldap) must be installed.
Settings
Settings - Main - Personnel - LDAP
Make the required settings and save them:
- Host - The address of your LDAP server.
- Port - The LDAP port. The default is 389.
- TLS - If your server uses the TLS encryption protocol, enable this option.
- LDAP Login - The user name with which the LDAP client connects to the LDAP server.
- LDAP Password - This user's password.
- Base DN - The search base: the directory object from which the search is initiated.
- Filter - The filter used to find the user in the directory. The user name entered in the login form is automatically substituted for [username]. For example, if the user admin logs in, the filter applied is (cn=admin). The attribute used in the filter must contain user names that match the user names in UserSide.
- LDAP Attribute - Username - The name of the LDAP attribute containing the user name (not the first and last name). Mandatory.
- LDAP Attribute - Firstname - The name of the LDAP attribute containing the first name. If left empty, the first name will not be taken from the LDAP directory.
- LDAP Attribute - Lastname - The name of the LDAP attribute containing the last name. If left empty, the last name will not be taken from the LDAP directory.
If you enable LDAP in this section but configure it incorrectly, you will not be able to log in to UserSide at all, and so cannot disable LDAP from the interface. To log in, open the userside3/main/config/config.php configuration file and add the line
$isLdapAuthorization = 0;
Save the file and log in to the ERP "UserSide". Authorisation via LDAP will be disabled.
Diagnostics
For diagnostics, you need the ldapsearch utility, which is included in the ldap-utils package. Install this package on the ERP "UserSide" server:
sudo apt install ldap-utils
Now from the ERP "UserSide" server, query your LDAP server as follows:
ldapsearch -h <ldap_server_address> -p 389 -x -LLL -D "<ldap_username>" -W -b "<base_dn>" "<filter>" cn
where:
- <ldap_server_address> - LDAP server host address
- <ldap_username> - user name for connecting to the LDAP server
- <base_dn> - directory object from which the search starts
- <filter> - filter of the search in the directory. For example: (cn=anton)
For example:
ldapsearch -h ldap.company.net -p 389 -x -LLL -D "userside" -W -b "DC=mycompany" "(cn=anton)" cn
After you run the command, you will be prompted for the LDAP server access password.
Once you have successfully connected to the server and found a user in the directory, transfer all values from this command to the ERP "UserSide" settings. In the filter, replace the user name with [username], so that the filter looks like this, for example: (cn=[username])
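A check to run before copying the filter into the settings, as an added example that is not part of the UserSide documentation or code: it substitutes a login name for [username] with RFC 4515 escaping and verifies that the filter matches exactly one directory entry. The function names and the sample LDIF are constructed for illustration; the commented ldapsearch line assumes an OpenLDAP client and, for -ZZ, a server that supports StartTLS.

```shell
#!/bin/sh
# Added example (not UserSide code): helpers for testing a Filter template.

# Escape a login name for use as a filter value (RFC 4515):
# backslash first, then * ( ) become \5c \2a \28 \29.
ldap_escape_filter() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace every [username] in the template ($1) with the escaped name ($2).
build_filter() {
    esc=$(ldap_escape_filter "$2")
    # Protect characters that are special on the replacement side of sed.
    rep=$(printf '%s' "$esc" | sed -e 's/\\/\\\\/g' -e 's/[&|]/\\&/g')
    printf '%s' "$1" | sed -e "s|\[username]|$rep|g"
}

# Count entries in `ldapsearch -LLL` output read from stdin.
count_entries() {
    grep -c '^dn:' || true
}

# Succeeds only if the LDIF on stdin holds exactly one entry: a login
# filter that matches several entries makes the login ambiguous.
check_unique() {
    [ "$(count_entries)" -eq 1 ]
}

# Real use, from the ERP "UserSide" server (add -ZZ only with StartTLS):
#   ldapsearch -H ldap://ldap.company.net:389 -ZZ -x -LLL -D "userside" -W \
#     -b "DC=mycompany" "$(build_filter '(cn=[username])' anton)" cn | check_unique

# Constructed sample: two entries in different branches share cn=anton.
SAMPLE_LDIF='dn: cn=anton,OU=staff,DC=mycompany
cn: anton

dn: cn=anton,OU=contractors,DC=mycompany
cn: anton'

build_filter '(cn=[username])' 'anton'; echo
printf '%s\n' "$SAMPLE_LDIF" | check_unique \
    || echo "filter matches more than one entry; narrow Base DN or Filter"
```

If the check fails for a real query, narrow the Base DN or filter on an attribute that is unique per user before saving the settings.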